Nationwide pays $5.5 million for 2012 breach of 1.27 million accounts

Nationwide Mutual Insurance and its subsidiary Allied Property and Casualty Insurance settled with 33 states for $5.5 million on Wednesday, stemming from a 2012 multi-state data breach.

The settlement will cover the costs of litigation, the investigation and consumer protection law enforcement -- among other fees. As part of the settlement, Nationwide agreed to improve its data security.

Cybercriminals hacked into Nationwide’s systems in 2012 and stole the personal data of 1.27 million clients. Some of the affected individuals were Nationwide customers, but others had only obtained quotes from the company -- and yet the data was still stored.

The hackers gained access to the system by leveraging a flaw in a third-party application. The reason for the sizeable settlement was that the breach could have been prevented: the third-party vendor had released a patch for the vulnerability three years before the incident.

Nationwide didn’t apply the patch and instead waited until after the breach to fix the flaw.

The investigation that followed was led by the attorneys general for Washington, DC, New York, Florida, Maryland and Connecticut.

“Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process,” said New York Attorney General Eric T. Schneiderman.

“This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers,” he continued. “We will hold companies to account if they don’t.”

The settlement requires Nationwide to update its security practices to ensure patches are applied in a timely manner. Further, the company is required to hire a technology officer tasked with monitoring and managing software and security updates.

The technology officer will also supervise employees responsible for evaluating and coordinating maintenance, management and application of security patches.

Over the next three years, Nationwide must update its policies for how personal data is stored, conduct regular inventories of patches and updates, maintain and use tools to monitor the state of security for its systems and perform internal assessments of patch management practices.

Nationwide will also need to hire a third-party vendor to perform an annual audit of its practices for collecting and storing personal information.